Federal agencies are urging individuals and organizations to stay vigilant against a rising ransomware threat that has affected hundreds of new victims in recent weeks. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued an advisory detailing the tactics used by Medusa ransomware and how to mitigate its impact.
First identified in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that primarily targets critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. Through the RaaS model, the ransomware's developers delegate attack execution to affiliates, who have collectively compromised over 300 victims in the past month alone.
Initially, Medusa operated as a closed ransomware variant, where the same group that developed the malware also carried out attacks. However, it has since evolved into an affiliate-driven model, with developers recruiting attackers from dark web forums and paying them between $100 and $1 million per job.
Cybercriminals behind Medusa employ two primary attack vectors:
- Phishing campaigns – Fraudulent emails trick users into downloading malicious attachments or clicking harmful links.
- Exploiting unpatched vulnerabilities – Attackers take advantage of outdated software to infiltrate company networks.
Once inside, they utilize various legitimate tools to expand their access:
- Advanced IP Scanner and SoftPerfect Network Scanner – Used to detect exploitable network vulnerabilities.
- PowerShell and Windows command prompt – Help compile lists of targeted network resources.
- Remote access tools like AnyDesk, Atera, and Splashtop – Assist in lateral movement across the network.
- PsExec – Enables execution of files and commands with system-level privileges.
To avoid detection, attackers often disable security tools using compromised or signed drivers. They also delete PowerShell history and leverage Certutil to conceal their activity.
Similar to other ransomware strains, Medusa follows a double-extortion strategy. Attackers not only encrypt the victim's data but also steal it and threaten to leak it publicly if the ransom is not paid. Victims typically have 48 hours to respond, after which they may be contacted via phone or email.
A Medusa data leak site displays ransom demands along with a countdown timer. If victims need more time, they can delay the data release by paying $10,000 in cryptocurrency per extra day. Meanwhile, attackers may attempt to sell the stolen data to third parties even before the timer expires.
Federal authorities recommend the following preventative measures to reduce the risk of Medusa attacks:
- Patch vulnerabilities – Keep all operating systems, software, and firmware updated.
- Network segmentation – Prevent attackers from moving across connected systems.
- Traffic filtering – Restrict access to internal services from untrusted sources.
- Disable unused ports – Close unnecessary entry points to minimize security risks.
- Back up critical data – Store multiple copies of important files in an isolated location.
- Enable multifactor authentication (MFA) – Secure all accounts, especially those used for webmail, VPNs, and critical systems.
- Monitor network activity – Use security tools to detect unusual patterns and alert administrators to potential threats.
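The post-compromise tooling listed above (network scanners, remote access tools, PsExec, Certutil, PowerShell history deletion) and the final recommendation to monitor for unusual activity can be tied together in a small detection script. The following Python is an added example written for this article, not code from the advisory or from any of the agencies; it runs a set of command-line patterns over constructed process-creation telemetry in JSON-lines form. The binary names in the rules (for example `netscan.exe` for SoftPerfect Network Scanner and `AteraAgent.exe` for Atera) are assumptions about how these tools usually appear and should be tuned to your own environment, and the hosts, users and paths in the sample log are made up.

```python
import json
import re
from collections import defaultdict

# Rules keyed by the technique named in the advisory. Each pattern is applied to
# the lower-cased command line. The binary names are assumptions about how these
# tools typically appear on disk; adjust them to match your own telemetry.
RULES = {
    "discovery_scanner": re.compile(r"\b(advanced_ip_scanner|netscan)\.exe\b"),
    "remote_access_tool": re.compile(r"\b(anydesk|ateraagent|splashtop\w*)\.exe\b"),
    "psexec_execution": re.compile(r"\b(psexec(64)?|psexesvc)\.exe\b"),
    # Certutil used to decode/encode or fetch content rather than to manage certs.
    "certutil_abuse": re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|encode|urlcache)\b"),
    # Removal of the PSReadLine history file or disabling of history saving.
    "powershell_history_wipe": re.compile(
        r"consolehost_history\.txt|clear-history|historysavestyle\s+savenothing"
    ),
}

# Constructed sample telemetry: one process-creation event per JSON line.
# Host names, users and paths are invented for this example.
SAMPLE_LOG = r"""
{"ts": "2025-03-12T09:14:03Z", "host": "WS-0142", "user": "CORP\\jdoe", "cmdline": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-12T09:16:41Z", "host": "WS-0142", "user": "CORP\\jdoe", "cmdline": "C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner.exe /portable"}
{"ts": "2025-03-12T09:18:05Z", "host": "WS-0142", "user": "CORP\\jdoe", "cmdline": "C:\\Temp\\netscan.exe /range:10.0.0.0/24"}
{"ts": "2025-03-12T09:22:57Z", "host": "WS-0142", "user": "CORP\\jdoe", "cmdline": "C:\\ProgramData\\AnyDesk.exe --silent"}
{"ts": "2025-03-12T09:40:12Z", "host": "SRV-DB01", "user": "CORP\\svc_backup", "cmdline": "C:\\Tools\\PsExec64.exe \\\\FS-01 -s -d cmd.exe"}
{"ts": "2025-03-12T09:41:30Z", "host": "SRV-DB01", "user": "CORP\\svc_backup", "cmdline": "certutil.exe -decode C:\\Temp\\a.txt C:\\Temp\\a.exe"}
{"ts": "2025-03-12T09:43:02Z", "host": "SRV-DB01", "user": "CORP\\svc_backup", "cmdline": "powershell.exe -c \"Remove-Item $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt\""}
{"ts": "2025-03-12T10:02:19Z", "host": "WS-0207", "user": "CORP\\asmith", "cmdline": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ts": "2025-03-12T10:05:44Z", "host": "SRV-DB01", "user": "CORP\\pki_admin", "cmdline": "certutil.exe -verify C:\\Temp\\cert.cer"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return one finding per (event, rule) match as (ts, host, rule, cmdline)."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((ev["ts"], ev["host"], name, ev["cmdline"]))
    return findings


def prioritize(findings, min_techniques=2):
    """Group findings by host and keep hosts where at least `min_techniques`
    distinct techniques fired. A single scanner run may be an administrator;
    scanning plus remote access plus history wiping on one box looks like an
    operator working through the chain described in the advisory."""
    per_host = defaultdict(set)
    for _ts, host, rule, _cmd in findings:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_techniques}


if __name__ == "__main__":
    found = analyze(load_events(SAMPLE_LOG))
    for ts, host, rule, cmd in found:
        print(f"{ts} {host} {rule}: {cmd}")
    print("hosts to triage first:", prioritize(found))
```

The legitimate `certutil -verify` invocation on the last sample line is deliberately left unflagged: the rule keys on the decode, encode and URL-fetch switches rather than on the binary itself, which keeps the PKI team's routine work out of the alert queue. The host-level grouping in `prioritize` is the part worth keeping even if the patterns change, since the advisory's tooling is individually benign and only becomes suspicious in combination.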
By implementing these strategies, organizations can significantly lower their chances of falling victim to Medusa ransomware and other evolving cyber threats.